Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

5/4/2018
10:30 AM
Gary Freas
Gary Freas
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

We're Doing Security Wrong!

When you simply heap technology onto a system, you limit your hiring pool and spread your employees too thin. Focus on your people instead.

If your company produces gadgets that improve cybersecurity, brace yourself. No matter how much we spend on your next great solution, it won't be good enough. There's still one thing we must give more attention, funding, and resources: humans. An organization can implement firewalls, intrusion-detection and intrusion-prevention systems, and artificial intelligence defenses, but they still won't conquer the human factor, the most vulnerable aspect of a cybersecurity plan.

The technological revolution has introduced a plethora of advanced solutions to help identify and stop intrusions. However, data leaks and breaches persist. Shouldn't all this technology stop attackers from gaining access to our most sensitive data?

Historically, Stuxnet, WannaCry, and the Equifax breach are examples of weaknesses in the flesh-and-bone portion of a security plan. These attacks could have been prevented had it not been for human mistakes.

Stuxnet is the infamous worm (allegedly) authored by a joint US-Israeli coalition, designed to slow the enrichment of uranium by Iran's nuclear program. The worm exploited multiple zero-day flaws in industrial control systems, damaging enrichment centrifuges. So, how could this have been prevented?

The Natanz nuclear facility, where Stuxnet infiltrated, was air-gapped. Somebody had to physically plant the worm. This requires extensive coordination, but personnel in Natanz should have been more alert. Also, Stuxnet was discovered on systems outside of Natanz, and outside of Iran. Somebody likely connected a personal device to the network, then connected their device to the public Internet. While Stuxnet went from inside to outside, the inverse could easily have happened by connecting devices to internal and external networks.

WannaCry and its variants are recent larger-scale examples. Microsoft had issued patches for the SMBv1 vulnerability, eventually removing the protocol version from Windows. Still, some 200,000 computer systems were infected in over 150 countries worldwide to the tune of an estimated $4 billion in ransoms and damages. If human beings had updated their systems, we may never have added "WannaCry" to our security lexicon. At least we can use it as an example of the costs of negligence in cybersecurity curricula, right?

The infamous Equifax breach resulted in the compromise of the personal data from millions of people. The culprit? Equifax reported a vulnerability in Apache Struts that had already been patched by the Apache Software Foundation. This attack was described as a "relatively easy" hack, meaning it would not have required a highly skilled technician to execute this attack and compromise the 145 million or so batches of personal data. (PATCH!)

The lesson here? We care too much about gadgets and logical control systems, and not enough about our personnel. Increasing investments in people over more technology aids retention. The IT industry sees a lot of turnover. These decisions are not always about money, but salary is a consideration. Also, if companies were more willing to train their own employees, they would benefit from new skill sets without hiring new personnel. Employee retention enhances familiarity systems. Experienced personnel can quickly address issues. Time is money; downtime is loss of money.

Shallow End of the Hiring Pool
In every conversation I've had with hiring managers, and at every cybersecurity conference I've attended, there has been a common theme concerning the state of IT/IS: there is not enough talent in the hiring pool. But I'd argue that their organizations haven't shown enough willingness to train their own, provide their employees with the opportunity to learn and grow, and hire people they can teach. Too often, job boards are littered with postings chasing unicorns — mythical IT experts with a mix of experience that couldn't exist. If organizations would invest in their own people, they could mold someone into that magical creature rather than banging their head against the job board walls in search of a candidate that doesn't exist.

Invest in training and awareness for your day-to-day operational employees. Give them incentive to pay attention to the sender, content, and links of an email. Give them a sense of ownership of security, so they challenge an unfamiliar face in the hallway. Teach them techniques that attackers will use to socially engineer them, how they can smell a rat, and how they can thwart the attackers' efforts.

I'm not saying you should do away with all technical control systems, of course. However, when you continue to heap technology onto a system, you limit your hiring pool, and you're spreading your employees too thin. Don't create Jacks-and-Jills-of-all-trades. Create masters of yours.

Related Content:

Gary Freas is a cybersecurity professional with 12 years of industry experience in information, installation, and personnel security; cyber threat intelligence; cybersecurity systems engineering; and risk management. After 10 years of naval service as a fire controlman ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...